Ledger CTO on Recover private key access: 'The tradeoff, I think, is acceptable'

Executives at cryptocurrency hardware wallet maker Ledger struggled yesterday to explain to loyal users that its new Recover product may allow access that can unlock the device, but in a way that still remains secure. That resulting public relations mess continued today, as the company deleted a tweet that had said Ledger's firmware "facilitates key extraction" — which is usually the opposite of what people want from a hard wallet. 

Customers had clearly assumed that there was no way for their private keys — a 24-word seed phrase used as a password to unlock a wallet — to ever leave a Ledger hardware wallet.

But Ledger CTO Charles Guillemet said yesterday that with Recover, users can now permit the software running inside a Ledger wallet to allow private keys to leave the device in the form of encrypted "shards" that can be recombined to recreate the seed phrase. Ledger has said that the Recover tool is optional for users.

Some users “were a little bit surprised to understand that,” he said on the Bankless podcast. “The software running inside the secure element is something that can be changed, is something that has access to the secret.”

“The tradeoff, I think, is acceptable,” he said. This, Guillemet contended, is because Ledger Recover is aimed at people who want more security than that provided by an online exchange or an online wallet but are still too inexperienced to want to own an offline, hardware, cold wallet from which a password can never be recovered if lost.

Ledger customer support has a bad day on Twitter

Earlier in the day, before Guillemet's podcast appearance, the Ledger customer support Twitter account pointed out to users in a since-deleted tweet that the software on Ledger wallets has always permitted “key extraction”:

That statement caused a sharp reaction among hardcore users, so the company later added a second tweet:

Now, the original tweet has been deleted. The support account said it did so because "we don't want people to continue to be confused by this, and are replacing it with Tweet threads which address all frequently asked questions and concerns in the most understandable and accurate way possible."

Recover isn't a replacement for Ledger's traditional product 

Guillemet explained on the podcast that the Recover product was not intended as a replacement for Ledger’s traditional product, which maintains the keys on the device, can never be accessed remotely, and requires an owner to store their seed phrase with no backup if lost.

Rather, he said, “most crypto owners are using exchanges to custody their assets or are using software wallets. The reality is that self-custody seems a little bit complex, maybe is a little bit complex for newcomers, and people can be afraid of it. … When you are not tech savvy this thing can be frightening.”

“We need to find a way for newcomers in order to enable mass adoption," Guillemet continued.

Guillemet went on to say that “in self-custody there are different shades of grey, different levels of trust." At one end you have accounts on centralized exchanges where the customer’s wallet is in full custody of the exchange. In the middle you have online wallets accessible only with a seed phrase — they are more secure but they are still online “hot” wallets. And then at the other end are hardware, or “cold” wallets, disconnected from the internet.

It's all about the shards

Ledger Recover splits a user’s seed phrase into three encrypted “shards” which are then shared with three different companies: Ledger, Coincover, and a third unnamed provider. Anyone who loses their seed phrase can recover it by proving their identity to two of the companies and combining two shards to recreate the third, thus regaining access to the wallet. The original seed phrases do not leave the wallet, only encrypted pieces of them.

It “gets one step closer to self-custody and self-sovereignty,” Guillemet said. "When you use this feature, I agree you are doing a small tradeoff where you are saying, ‘I am not completely self-sovereign, I am not the only one able to manage my backup’. But the tradeoff, I think, is acceptable because … you have to have at least two out of the three shards to be able to combine the secret. … So this is the tradeoff you have.”

Guillemet also added that the cryptographic element only operates inside the secure element of the wallet so that extraction of the seed never has to leave the device if users do not want to use the Recover feature. “This part is really, really important and it never changed.”

(Updates to clarify headline.)